From Phishing to Persistence: A CrySome RAT Infection Chain Analysis
This threat involves a sophisticated multi-stage infection chain delivering the CrySome remote access trojan (RAT) via spear-phishing with a logistics rate confirmation lure. The attack uses living-off-the-land techniques, including UAC bypass via the ICMLuaUtil COM interface and in-memory AMSI patching, to evade detection. An open-source tool, WinDefCtl, is employed to disrupt Windows Defender protections before deploying the final payload. CrySome RAT establishes persistence through scheduled tasks and enables attackers to perform hidden VNC access, remote command execution, system reconnaissance, and credential theft from Chromium-based browsers. The campaign highlights the use of publicly available tools combined with legitimate Windows processes to minimize detection and achieve full system compromise.
AI Analysis
Technical Summary
The analyzed infection chain begins with spear-phishing targeting logistics personnel, delivering CrySome RAT through multiple stages. The attackers leverage living-off-the-land techniques such as the ICMLuaUtil COM interface for UAC bypass and patch AMSI in memory to avoid detection. Prior to final payload deployment, the open-source WinDefCtl tool is used to weaken endpoint protections, specifically Windows Defender. CrySome RAT then establishes persistence via scheduled tasks and provides operators with capabilities including hidden VNC sessions, remote command execution, system reconnaissance, and credential theft focused on Chromium-based browsers. This campaign exemplifies modern threat actors' reliance on publicly available tooling and legitimate Windows components to evade detection and maintain persistence.
Potential Impact
Successful exploitation results in full system compromise with persistent remote access. Attackers gain capabilities for stealthy remote control (hidden VNC), execution of arbitrary commands, system information gathering, and theft of stored credentials from Chromium-based browsers. Endpoint protections are weakened using open-source tools, increasing the likelihood of sustained undetected presence. The infection chain leverages multiple evasion techniques, complicating detection and response.
Mitigation Recommendations
No official patch or vendor advisory is provided for this malware infection chain. Mitigation should focus on user awareness to prevent spear-phishing attacks, monitoring for use of known living-off-the-land techniques such as ICMLuaUtil COM interface abuse and AMSI bypass attempts, and detection of the WinDefCtl tool or scheduled tasks associated with CrySome RAT persistence. Endpoint protection solutions should be updated and configured to detect and block known indicators of compromise such as the listed hashes and domains. Since this is a malware campaign rather than a software vulnerability, remediation involves incident response and removal of the malware rather than patching.
Indicators of Compromise
- hash: ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8
- hash: f8a3f28ecbd0b08ecab73ef571f16c3d0bd5e009
- hash: 2f4b5a0d98bc4e5616f2dd04337ae674
- domain: signindat.com
- url: https://signindat.com/ElevatorShellCode.exe
- url: https://signindat.com/update.exe
- url: https://signindat.com/patch.exe
- url: https://signindat.com/stage.ps1
- url: https://signindat.com/Rate_Confirmation_LD-2026-0847.pdf
- hash: ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4
- hash: 53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff
- hash: ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd
- hash: b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3
- hash: c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a
- hash: 45a2228e44257169210cc5dc06e12a6c
- hash: de2df0905ece1a1e7f0a70adf36c75deb06b4e4b
- url: https://signindat.com
From Phishing to Persistence: A CrySome RAT Infection Chain Analysis
Description
This threat involves a sophisticated multi-stage infection chain delivering the CrySome remote access trojan (RAT) via spear-phishing with a logistics rate confirmation lure. The attack uses living-off-the-land techniques, including UAC bypass via the ICMLuaUtil COM interface and in-memory AMSI patching, to evade detection. An open-source tool, WinDefCtl, is employed to disrupt Windows Defender protections before deploying the final payload. CrySome RAT establishes persistence through scheduled tasks and enables attackers to perform hidden VNC access, remote command execution, system reconnaissance, and credential theft from Chromium-based browsers. The campaign highlights the use of publicly available tools combined with legitimate Windows processes to minimize detection and achieve full system compromise.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The analyzed infection chain begins with spear-phishing targeting logistics personnel, delivering CrySome RAT through multiple stages. The attackers leverage living-off-the-land techniques such as the ICMLuaUtil COM interface for UAC bypass and patch AMSI in memory to avoid detection. Prior to final payload deployment, the open-source WinDefCtl tool is used to weaken endpoint protections, specifically Windows Defender. CrySome RAT then establishes persistence via scheduled tasks and provides operators with capabilities including hidden VNC sessions, remote command execution, system reconnaissance, and credential theft focused on Chromium-based browsers. This campaign exemplifies modern threat actors' reliance on publicly available tooling and legitimate Windows components to evade detection and maintain persistence.
Potential Impact
Successful exploitation results in full system compromise with persistent remote access. Attackers gain capabilities for stealthy remote control (hidden VNC), execution of arbitrary commands, system information gathering, and theft of stored credentials from Chromium-based browsers. Endpoint protections are weakened using open-source tools, increasing the likelihood of sustained undetected presence. The infection chain leverages multiple evasion techniques, complicating detection and response.
Mitigation Recommendations
No official patch or vendor advisory is provided for this malware infection chain. Mitigation should focus on user awareness to prevent spear-phishing attacks, monitoring for use of known living-off-the-land techniques such as ICMLuaUtil COM interface abuse and AMSI bypass attempts, and detection of the WinDefCtl tool or scheduled tasks associated with CrySome RAT persistence. Endpoint protection solutions should be updated and configured to detect and block known indicators of compromise such as the listed hashes and domains. Since this is a malware campaign rather than a software vulnerability, remediation involves incident response and removal of the malware rather than patching.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.levelblue.com/blogs/spiderlabs-blog/from-phishing-to-persistence-a-crysome-rat-infection-chain-analysis"]
- Adversary
- null
- Pulse Id
- 6a4d09e0fbf878666b3d5afd
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8 | — | |
hashf8a3f28ecbd0b08ecab73ef571f16c3d0bd5e009 | — | |
hash2f4b5a0d98bc4e5616f2dd04337ae674 | — | |
hashec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4 | — | |
hash53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff | — | |
hashced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd | — | |
hashb7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3 | — | |
hashc380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a | — | |
hash45a2228e44257169210cc5dc06e12a6c | — | |
hashde2df0905ece1a1e7f0a70adf36c75deb06b4e4b | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainsignindat.com | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://signindat.com/ElevatorShellCode.exe | — | |
urlhttps://signindat.com/update.exe | — | |
urlhttps://signindat.com/patch.exe | — | |
urlhttps://signindat.com/stage.ps1 | — | |
urlhttps://signindat.com/Rate_Confirmation_LD-2026-0847.pdf | — | |
urlhttps://signindat.com | — |
Threat ID: 6a4d0d07c9d9e3dbe34e7e7a
Added to database: 07/07/2026, 14:28:23 UTC
Last enriched: 07/07/2026, 14:43:14 UTC
Last updated: 07/08/2026, 03:57:11 UTC
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.